What firewall rules do I need for cert-manager on LKE?
Hey, I have been following the doc:
This works fine with no firewall rules; I can secure with TLS fine.
If I have the firewall rules (detailed below; all outbound is allowed, all inbound is denied unless there is a rule), the cert-manager check API fails (not the case if I disable the firewall). Am I missing a rule here?
inbound {
  label    = "allow-http"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "80"
  ipv4     = ["0.0.0.0/0"]
  ipv6     = ["ff00::/8"]  # ff00::/8 is the IPv6 multicast block; "::/0" matches any IPv6 source
}
inbound {
  label    = "allow-https"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "443"
  ipv4     = ["0.0.0.0/0"]
  ipv6     = ["ff00::/8"]  # same as above
}
# Rules below are limited to the cluster's private VLAN range (192.168.128.0/17),
# so traffic from any other source to these ports is still denied.
inbound {
  label    = "allow-cert-manager"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "6443"
  ipv4     = ["192.168.128.0/17"]
}
inbound {
  label    = "allow-cert-manager"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "9402"
  ipv4     = ["192.168.128.0/17"]
}
# Using this port for cert-manager; I specify this via Helm.
inbound {
  label    = "allow-cert-manager"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "10260"
  ipv4     = ["192.168.128.0/17"]
}
# https://www.linode.com/community/questions/19155/securing-k8s-cluster
inbound {
  label    = "kubelet-health-checks"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "10250"
  ipv4     = ["192.168.128.0/17"]
}
inbound {
  label    = "kubelet-proxy"
  action   = "ACCEPT"
  protocol = "UDP"
  ports    = "51820"
  ipv4     = ["192.168.128.0/17"]
}
inbound {
  label    = "calico-bgp"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "179"
  ipv4     = ["192.168.128.0/17"]
}
inbound {
  label    = "kubernetes-node-ports"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "30000-32767"
  ipv4     = ["0.0.0.0/0"]
}
inbound {
  label    = "kubernetes-node-ports"
  action   = "ACCEPT"
  protocol = "UDP"
  ports    = "30000-32767"
  ipv4     = ["0.0.0.0/0"]
}
1 Reply
When dealing with firewalls and LKE, you can ensure the ports utilized by the components of the LKE control plane are not being impeded:
https://kubernetes.io/docs/reference/ports-and-protocols/
Based on the output you shared, it looks like some rules need to be added to allow a few of the ports listed in the link above.
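As an added example (not part of the question or the reply, and not Linode or Kubernetes code), the script below parses the inbound rules posted above and reports which of the worker-node ports from the linked Kubernetes reference are not reachable from a given source address. The required-port table is transcribed from that reference and should be checked against the link; the source addresses used in the demo are hypothetical. The source address matters because most of the posted rules are scoped to 192.168.128.0/17, so a port can be "allowed" for VLAN peers and still closed to anything else.

```python
"""Check a Linode Cloud Firewall inbound rule set against the worker-node ports
listed in the Kubernetes "Ports and Protocols" reference. Added example; not
code from the original post, Linode or Kubernetes."""
import ipaddress
import re
from dataclasses import dataclass

# Copy of the inbound rules posted in the question (ipv6 entries omitted;
# only ipv4 sources are evaluated here).
RULES_HCL = """
inbound { label = "allow-http"  action = "ACCEPT" protocol = "TCP" ports = "80"  ipv4 = ["0.0.0.0/0"] }
inbound { label = "allow-https" action = "ACCEPT" protocol = "TCP" ports = "443" ipv4 = ["0.0.0.0/0"] }
inbound { label = "allow-cert-manager" action = "ACCEPT" protocol = "TCP" ports = "6443"  ipv4 = ["192.168.128.0/17"] }
inbound { label = "allow-cert-manager" action = "ACCEPT" protocol = "TCP" ports = "9402"  ipv4 = ["192.168.128.0/17"] }
inbound { label = "allow-cert-manager" action = "ACCEPT" protocol = "TCP" ports = "10260" ipv4 = ["192.168.128.0/17"] }
inbound { label = "kubelet-health-checks" action = "ACCEPT" protocol = "TCP" ports = "10250" ipv4 = ["192.168.128.0/17"] }
inbound { label = "kubelet-proxy" action = "ACCEPT" protocol = "UDP" ports = "51820" ipv4 = ["192.168.128.0/17"] }
inbound { label = "calico-bgp"    action = "ACCEPT" protocol = "TCP" ports = "179"   ipv4 = ["192.168.128.0/17"] }
inbound { label = "kubernetes-node-ports" action = "ACCEPT" protocol = "TCP" ports = "30000-32767" ipv4 = ["0.0.0.0/0"] }
inbound { label = "kubernetes-node-ports" action = "ACCEPT" protocol = "UDP" ports = "30000-32767" ipv4 = ["0.0.0.0/0"] }
"""

# Worker-node rows transcribed from kubernetes.io/docs/reference/ports-and-protocols/
# (verify against the page). Control-plane rows are left out because LKE hosts the
# control plane for you; they are not on your nodes' firewall.
REQUIRED = [
    ("TCP", 10250, 10250, "kubelet API"),
    ("TCP", 10256, 10256, "kube-proxy"),
    ("TCP", 30000, 32767, "NodePort Services"),
]

BLOCK_RE = re.compile(r"inbound\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r'(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*")')


@dataclass
class Rule:
    label: str
    protocol: str
    ports: list  # list of (low, high) inclusive ranges
    ipv4: list   # list of ipaddress.IPv4Network


def parse_port_spec(spec):
    """'80', '30000-32767' or '80,443' -> list of inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(hcl):
    """Extract ACCEPT rules from the inbound { ... } blocks of a Linode firewall config."""
    rules = []
    for body in BLOCK_RE.findall(hcl):
        kv = {}
        for key, raw in KV_RE.findall(body):
            kv[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
        if kv.get("action", "ACCEPT") != "ACCEPT":
            continue  # DROP rules never open a port
        rules.append(Rule(kv["label"], kv["protocol"].upper(), parse_port_spec(kv["ports"]),
                          [ipaddress.ip_network(c) for c in kv.get("ipv4", [])]))
    return rules


def allowed(rules, protocol, port, source):
    """Return the label of the first rule admitting protocol/port from source, else None."""
    src = ipaddress.ip_address(source)
    for r in rules:
        if r.protocol != protocol.upper():
            continue
        if not any(lo <= port <= hi for lo, hi in r.ports):
            continue
        if any(src in net for net in r.ipv4):
            return r.label
    return None


def missing_ports(rules, source):
    """Required worker-node ports (desc, proto, first, last uncovered) not open to source."""
    gaps = []
    for proto, lo, hi, desc in REQUIRED:
        uncovered = [p for p in range(lo, hi + 1) if allowed(rules, proto, p, source) is None]
        if uncovered:
            gaps.append((desc, proto, uncovered[0], uncovered[-1]))
    return gaps


if __name__ == "__main__":
    rules = parse_rules(RULES_HCL)
    # Hypothetical sources: a VLAN peer and an address outside the VLAN.
    for src in ("192.168.200.7", "203.0.113.5"):
        print(src, "->", missing_ports(rules, src) or "all required worker-node ports open")
```

Run it and the VLAN-peer source shows only 10256 (kube-proxy) missing, while the outside source also loses 10250, which is exactly the situation a VLAN-scoped `ipv4` list creates. Swap in your own rule text and source addresses to reproduce the check for a different cluster.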